The 3 Pillars of Enterprise Cyber Risk Management
Equifax. Target. The Office of Personnel Management. Each new cyber hack victim has a story that makes the need for cyber risk management more urgent. Any organization hoping to maintain operational resilience during disruption should implement risk management. Unfortunately, that comes with many unknowns: Which risk management framework to use? Is risk management expensive? What's the return on investment? This post will help you guide your organization out of this decision paralysis by introducing the three pillars of an enterprise risk program.
Prerequisite: Determine the maturity of your organization's current risk program
Various capability maturity models measure enterprise risk management, such as the model used by the Risk Management Society (RIMS). Organizations with more mature risk management might adhere to ISO, COSO, NIST, or another standard risk management framework. Less mature programs can still improve C-suite decision-making simply by having a common lexicon, understanding, and appreciation of risk management. Organizations with very low risk management maturity might not know where to begin. However, until an organization knows where its risk management program stands, it is difficult to know what to do next.
Pillar 1: Governance structure
A governance structure is the first pillar of any risk management program. It provides an enterprise with a body of experts and decision makers on the potential impacts and actions associated with risk decisions. Just as the White House has mandated that accountability for cyber risk management fall to agency heads (Executive Order 13800), risk management must be driven from the top of any organization. A general model may include periodic meetings of a C-suite risk committee, informed by mid-level managers in subcommittees. Ideally, the subcommittees should offer risk committee executives options that balance resource demands.
Executives often have difficulty treating technologically complex cyber risks with the same degree of care as other enterprise risks. The risk committee will need a common vocabulary and fair comparisons of risks in order to make and weigh business cases for risk response plans. Regardless of risk type--cyber or otherwise--a structured statement of risk appetite is even more fundamental, because it limits the threat of ambivalence and confusion.
Pillar 2: Risk Appetite
Every organization must know how much risk it can tolerate. A documented risk appetite statement lists categorized risk tolerance ranges that align with the organization's strategic objectives. The risk appetite statement helps the organization confidently employ its strategy with explicit direction on how much risk can be taken.
The ranges of tolerance in a risk appetite should be scaled to accommodate the various levels of the organization. This way, all members of the organization can understand when to escalate an identified risk. At the practitioner level, a quantitative appetite statement should provide enough context and direction for the practitioner to conduct everyday activities. For example, explicit limits on unplanned system outages should enable front-line workers to discern whether they should procure new software in light of possible vulnerabilities. Appetite statements can be tricky to develop, especially if the organization is culturally intolerant of new risks. However, a thoughtful appetite statement can empower employees to bring risks forward in a quantitative manner that ties risk directly to the organizational strategy.
Pillar 3: Policy and Procedure
With adequate risk governance and documented appetite, organizations can begin to weave risk management practices into their culture. Executives must communicate expectations to the organization through their management teams, usually through policy and procedure and potentially as part of a global policy structure.
From the first day of employment, employees should be oriented to fundamental risk concepts--not necessarily to the degree of a practicing analyst, but enough to build a fundamental awareness of risk as they perform daily tasks. Similar to Crew Resource Management (CRM) used by airlines or emergency response procedures used by nuclear power plants, employees should be educated and empowered to raise concerns and take appropriate actions to respond to disruptions. Similarly, the policy and procedure should provide tools that facilitate decision making and resource allocation to prepare for disruptions.
Foundation for Resilience
The three pillars of robust risk management support an organization's operational resilience, that is, its ability to accomplish its mission during disruption. Ultimately, organizations must treat risks as having their own life cycles that span the enterprise's pursuit of its strategic goals.
The CERT Resilience Management Model (CERT-RMM) is the basis for several SEI tools that help organizations measure the maturity of their operational resilience and plan for its improvement. Using CERT-RMM in conjunction with the CERT OCTAVE method offers an even more extensive approach. OCTAVE, which the SEI is currently updating to OCTAVE FORTE (Facilitated process for managing Operational Risks Tailored for the Enterprise), delivers customizable training and facilitation for effective enterprise risk program implementation. In particular, OCTAVE FORTE uses a holistic approach to risk management and teaches executives, CISOs, and other cyber professionals how to communicate risks across the enterprise by using a tiered governance structure and a quantitative risk appetite. Download the CERT-RMM for free, or learn more about CERT-RMM appraisals.
Even if your enterprise navigates the turbulent storm of cyber threats by luck alone, preparing for disruption builds a culture of mission focus. To maintain that focus in the midst of bigger and more frequent cyber attacks, robust risk management and operational resilience are more important than ever.